Message-ID: <696d747e.050a0220.45cdb.5e3e.GAE@google.com>
Date: Sun, 18 Jan 2026 16:02:06 -0800
From: syzbot <syzbot+8bb3e2bee8a429cc76dd@...kaller.appspotmail.com>
To: linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Forwarded: Private message regarding: [syzbot] [mm?] INFO: rcu detected stall in sys_execve (6)

For archival purposes, forwarding an incoming command email to
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com.

***

Subject: Private message regarding: [syzbot] [mm?] INFO: rcu detected stall in sys_execve (6)
Author: kapoorarnav43@...il.com

#syz test

From ec692e7200eec47b1067ac865b5350125acf8c48 Mon Sep 17 00:00:00 2001
From: Arnav Kapoor <kapoorarnav43@...il.com>
Date: Mon, 19 Jan 2026 05:30:53 +0530
Subject: [PATCH] netfilter: nf_conntrack: limit total entries processed per
 gc_worker call

Limit the gc_worker to process at most 1000 entries per call to prevent
excessive run times and RCU stalls. If the limit is exceeded, reschedule
the worker to continue from the next bucket.

Reported-by: syzbot+8bb3e2bee8a429cc76dd@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8bb3e2bee8a429cc76dd
---
 net/netfilter/nf_conntrack_core.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_conntrack_core.c 
b/net/netfilter/nf_conntrack_core.c
index ff901a2b4..4ca315e8b 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1517,6 +1517,7 @@ static void gc_worker(struct work_struct *work)
        struct conntrack_gc_work *gc_work;
        unsigned int expired_count = 0;
        unsigned long next_run;
+        bool early_break = false;
         unsigned int bucket_count = 0;
        s32 delta_time;
        long count;
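Review bot: the new `bool early_break = false;` declaration is indented with spaces while the neighbouring declarations (`unsigned long next_run;`, `s32 delta_time;`) use tabs, so it does not line up and will be flagged by checkpatch; re-indent it with a tab. Nothing in either hunk ever clears the flag again, so keep it next to `entry_count` and reset both at the same point if the worker is expected to continue on the next run.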
@@ -1561,13 +1562,18 @@ static void gc_worker(struct work_struct *work)
                        tmp = nf_ct_tuplehash_to_ctrack(h);
                         entry_count++;
 
-                        if (entry_count > 100) break;
+                        if (entry_count > 1000) { early_break = true; 
break; }
                         cond_resched();
                        if (expired_count > GC_SCAN_EXPIRED_MAX) {
                                rcu_read_unlock();
 
                                gc_work->next_bucket = i;
                                gc_work->avg_timeout = next_run;
+                if (early_break) {
+                        rcu_read_unlock();
+                        gc_work->next_bucket = i;
+                        goto early_exit;
+                }
                                gc_work->count = count;
 
                                delta_time = nfct_time_stamp - 
gc_work->start_time;
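Review bot: the `if (early_break)` block is placed inside the existing `if (expired_count > GC_SCAN_EXPIRED_MAX)` branch (it sits between `gc_work->avg_timeout = next_run;` and `gc_work->count = count;`, after that branch's own `rcu_read_unlock()`), so it only runs when the expired-count limit fires, not when the entry limit does, and when both fire it calls `rcu_read_unlock()` a second time and jumps to `early_exit` before `count` is stored. The `break` after `early_break = true` only leaves the `hlist_nulls_for_each_entry_rcu()` loop, so the outer bucket loop keeps going, and since `entry_count` is never reset every later bucket breaks after its first entry; that is consistent with syzbot below still reporting the stall inside gc_worker. Move the `early_break` check to just after the inner loop, outside the expired-count branch, and reset `entry_count` per worker call. Separately, the context lines `entry_count++;` and `cond_resched();` and the removed `if (entry_count > 100) break;` are not introduced by this patch, which means it is based on a tree that already carries an earlier version of this change rather than on the net tree; the `cond_resched()` also sits inside the read-side critical section opened by `rcu_read_lock()` (the trace below shows gc_worker at `rcu_read_lock`, nf_conntrack_core.c:1546). Please rebase so the diff shows the complete change, and indent the added lines with tabs at the same depth as the surrounding code.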
-- 
2.43.0

On Monday, 19 January 2026 at 05:29:05 UTC+5:30 syzbot wrote:

Hello, 

syzbot has tested the proposed patch but the reproducer is still triggering 
an issue: 
INFO: rcu detected stall in worker_thread 

rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: 
rcu: 1-...!: (1 GPs behind) idle=3fa4/1/0x4000000000000000 
softirq=23801/23814 fqs=1 
rcu: (detected by 0, t=10503 jiffies, g=17209, q=7435 ncpus=2) 
Sending NMI from CPU 0 to CPUs 1: 
NMI backtrace for cpu 1 
CPU: 1 UID: 0 PID: 5941 Comm: kworker/1:5 Not tainted syzkaller #0 
PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS 
Google 10/25/2025 
Workqueue: events_power_efficient gc_worker 
RIP: 0010:check_region_inline mm/kasan/generic.c:185 [inline] 
RIP: 0010:kasan_check_range+0x19/0x2c0 mm/kasan/generic.c:200 
Call Trace: 
<IRQ> 
instrument_read_write include/linux/instrumented.h:54 [inline] 
atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:1301 
[inline] 
queued_spin_lock include/asm-generic/qspinlock.h:111 [inline] 
do_raw_spin_lock+0x121/0x290 kernel/locking/spinlock_debug.c:116 
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:111 [inline] 
_raw_spin_lock_irqsave+0x4c/0x60 kernel/locking/spinlock.c:162 
debug_object_deactivate+0x6d/0x360 lib/debugobjects.c:873 
debug_hrtimer_deactivate kernel/time/hrtimer.c:443 [inline] 
debug_deactivate+0x1d/0x1e0 kernel/time/hrtimer.c:483 
__run_hrtimer kernel/time/hrtimer.c:1745 [inline] 
__hrtimer_run_queues+0x2b0/0xc30 kernel/time/hrtimer.c:1841 
hrtimer_interrupt+0x45b/0xaa0 kernel/time/hrtimer.c:1903 
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1045 [inline] 
__sysvec_apic_timer_interrupt+0x102/0x3e0 arch/x86/kernel/apic/apic.c:1062 
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline] 
sysvec_apic_timer_interrupt+0xa1/0xc0 arch/x86/kernel/apic/apic.c:1056 
</IRQ> 
<TASK> 
asm_sysvec_apic_timer_interrupt+0x1a/0x20 
arch/x86/include/asm/idtentry.h:697 
RIP: 0010:rcu_is_watching_curr_cpu include/linux/context_tracking.h:-1 
[inline] 
RIP: 0010:rcu_is_watching+0x44/0xb0 kernel/rcu/tree.c:751 
trace_lock_acquire include/trace/events/lock.h:24 [inline] 
lock_acquire+0x5f/0x340 kernel/locking/lockdep.c:5831 
rcu_lock_acquire include/linux/rcupdate.h:331 [inline] 
rcu_read_lock include/linux/rcupdate.h:867 [inline] 
gc_worker+0x28c/0x13d0 net/netfilter/nf_conntrack_core.c:1546 
process_one_work kernel/workqueue.c:3257 [inline] 
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340 
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421 
kthread+0x711/0x8a0 kernel/kthread.c:463 
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 
</TASK> 
rcu: rcu_preempt kthread starved for 10479 jiffies! g17209 f0x0 
RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=0 
rcu: Unless rcu_preempt kthread gets sufficient CPU time, OOM is now 
expected behavior. 
rcu: RCU grace-period kthread stack dump: 
task:rcu_preempt state:R running task stack:27416 pid:16 tgid:16 ppid:2 
task_flags:0x208040 flags:0x00080000 
Call Trace: 
<TASK> 
context_switch kernel/sched/core.c:5256 [inline] 
__schedule+0x149b/0x4fd0 kernel/sched/core.c:6863 
__schedule_loop kernel/sched/core.c:6945 [inline] 
schedule+0x165/0x360 kernel/sched/core.c:6960 
schedule_timeout+0x12b/0x270 kernel/time/sleep_timeout.c:99 
rcu_gp_fqs_loop+0x301/0x1540 kernel/rcu/tree.c:2083 
rcu_gp_kthread+0x99/0x390 kernel/rcu/tree.c:2285 
kthread+0x711/0x8a0 kernel/kthread.c:463 
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 
</TASK> 
rcu: Stack dump where RCU GP kthread last ran: 
CPU: 0 UID: 0 PID: 6390 Comm: syz-executor Not tainted syzkaller #0 
PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS 
Google 10/25/2025 
RIP: 0010:csd_lock_wait kernel/smp.c:342 [inline] 
RIP: 0010:smp_call_function_many_cond+0xcce/0x1260 kernel/smp.c:877 
Call Trace: 
<TASK> 
on_each_cpu_cond_mask+0x3f/0x80 kernel/smp.c:1043 
__flush_tlb_multi arch/x86/include/asm/paravirt.h:91 [inline] 
flush_tlb_multi arch/x86/mm/tlb.c:1382 [inline] 
flush_tlb_mm_range+0x60a/0x1170 arch/x86/mm/tlb.c:1472 
tlb_flush arch/x86/include/asm/tlb.h:23 [inline] 
tlb_flush_mmu_tlbonly include/asm-generic/tlb.h:490 [inline] 
tlb_flush_mmu+0x1a7/0x680 mm/mmu_gather.c:403 
tlb_finish_mmu+0xc3/0x1d0 mm/mmu_gather.c:497 
free_ldt_pgtables+0x17b/0x320 arch/x86/kernel/ldt.c:411 
arch_exit_mmap arch/x86/include/asm/mmu_context.h:234 [inline] 
exit_mmap+0x174/0xb10 mm/mmap.c:1263 
__mmput+0x118/0x430 kernel/fork.c:1173 
exit_mm+0x169/0x230 kernel/exit.c:581 
do_exit+0x627/0x22f0 kernel/exit.c:959 
do_group_exit+0x21c/0x2d0 kernel/exit.c:1112 
get_signal+0x1285/0x1340 kernel/signal.c:3034 
arch_do_signal_or_restart+0x9a/0x7a0 arch/x86/kernel/signal.c:337 
__exit_to_user_mode_loop kernel/entry/common.c:41 [inline] 
exit_to_user_mode_loop+0x87/0x4e0 kernel/entry/common.c:75 
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline] 
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 
[inline] 
syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline] 
syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline] 
do_syscall_64+0x2c1/0xf80 arch/x86/entry/syscall_64.c:100 
entry_SYSCALL_64_after_hwframe+0x77/0x7f 
</TASK> 


Tested on: 

commit: f40ddcc0 Revert "nfc/nci: Add the inconsistency check .. 
git tree: net 
console output: https://syzkaller.appspot.com/x/log.txt?x=16b06852580000 
kernel config: https://syzkaller.appspot.com/x/.config?x=323fe5bdde2384a5 
dashboard link: https://syzkaller.appspot.com/bug?extid=8bb3e2bee8a429cc76dd 
compiler: Debian clang version 20.1.8 
(++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 
20.1.8 
patch: https://syzkaller.appspot.com/x/patch.diff?x=1688eb9a580000 

